summaryrefslogtreecommitdiffstats
path: root/docker
diff options
context:
space:
mode:
authorDamien Ciabrini <dciabrin@redhat.com>2017-08-02 06:13:48 -0400
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-08-11 04:26:41 +0000
commitac79bf92d05bf63a7e5a1075f7533c3b62f8e9e3 (patch)
tree99e591640573294bd774b2a71c8627d5b50a6d90 /docker
parent0adf7553f489be0946e7f1c4f20fb4e97cee78c0 (diff)
Enable TLS configuration for containerized Galera
In non-containerized deployments, Galera can be configured to use TLS for gcomm group communication when enable_internal_tls is set to true. Fix the metadata service definition and update the Kolla configuration to make gcomm use TLS in containers, if configured. bp tls-via-certmonger-containers Change-Id: Ibead27be81910f946d64b8e5421bcc41210d7430 Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Closes-Bug: #1708135 Depends-On: If845baa7b0a437c28148c817b7f94d540ca15814
Diffstat (limited to 'docker')
-rw-r--r--docker/services/pacemaker/database/mysql.yaml35
1 files changed, 35 insertions, 0 deletions
diff --git a/docker/services/pacemaker/database/mysql.yaml b/docker/services/pacemaker/database/mysql.yaml
index f12852f8..5042b438 100644
--- a/docker/services/pacemaker/database/mysql.yaml
+++ b/docker/services/pacemaker/database/mysql.yaml
@@ -40,6 +40,14 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
resources:
@@ -56,6 +64,10 @@ resources:
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
outputs:
role_data:
description: Containerized service MySQL using composable services.
@@ -76,6 +88,13 @@ outputs:
- 4567
- 4568
- 9200
+ -
+ if:
+ - internal_tls_enabled
+ -
+ tripleo::profile::pacemaker::database::mysql_bundle::ca_file:
+ get_param: InternalTLSCAFile
+ - {}
step_config: ""
# BEGIN DOCKER SETTINGS #
puppet_config:
@@ -100,6 +119,20 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ optional: true
+ preserve_properties: true
+ permissions:
+ - path: /etc/pki/tls/certs/mysql.crt
+ owner: mysql:mysql
+ perm: '0600'
+ optional: true
+ - path: /etc/pki/tls/private/mysql.key
+ owner: mysql:mysql
+ perm: '0600'
+ optional: true
docker_config:
step_1:
mysql_data_ownership:
@@ -174,6 +207,8 @@ outputs:
file:
path: /var/lib/mysql
state: directory
+ metadata_settings:
+ get_attr: [MysqlPuppetBase, role_data, metadata_settings]
upgrade_tasks:
- name: get bootstrap nodeid
tags: common